US hires company to hack into video gaming systems
By MATTHEW M. BURKE | STARS AND STRIPES Published: April 6, 2012
SASEBO NAVAL BASE, Japan — The U.S. government has hired a California-based company to hack into video game consoles, such as Xbox 360 and PlayStation 3, to watch criminals, especially child predators, and learn how to collect evidence against them.
The $177,000 contract with Obscure Technologies of San Rafael, Calif., is being executed by the U.S. Navy on behalf of the Department of Homeland Security because of the Navy’s expertise in the field, officials said.
Under the contract, Obscure Technologies will purchase used gaming systems from abroad that are believed to hold “sensitive information from previous users” and try to hack into them. Obscure’s experts will then report back on how they gained access to the systems, provide instructions to obtain users’ chat room activity, and even report back on the data gleaned, according to the contract and tasking documents.
Obscure will also purchase new systems and construct a device that can capture data and activity, the documents state.
“Today’s gaming systems are increasingly being used by criminals as a primary tool in exploiting children and, as a result, are being recovered by U.S. law enforcement organizations during court-authorized searches,” Naval Postgraduate School associate professor Simson Garfinkel, a computer forensics expert executing the contract, wrote in a statement to Stars and Stripes. “We hope to provide to DHS tools for assisting law enforcement in analyzing video game systems that are recovered during the course of law-enforcement operations.”
Due to privacy concerns, no one from the U.S. will be subject to the hacking ... yet, Navy officials said last week.
Christopher Soghoian, a Washington-based Open Society fellow and a graduate fellow at the Center for Applied Cybersecurity Research, disagrees with the government’s reasoning behind the work.
Soghoian said smartphones and laptops can be outfitted with sophisticated encryption software, while video game consoles cannot as of yet. Thus, criminals are more likely to use those mediums. He also questioned the motives of the federal government.
“The possible use of this is chilling,” Soghoian said, referring to the hacking technology. “It is more than likely this will be used against Americans in the long run.”
Over the past few decades, video game systems have grown in sophistication and capabilities by leaps and bounds. Consoles like the Nintendo Wii, Sony PlayStation 3, and Microsoft Xbox can be found in many U.S. households and are popular among servicemembers, with Internet access and hard drives that rival personal computers.
With these advances, Garfinkel said, the systems have become a playground of illegal activity for criminals.
In 2008, law enforcement agencies contacted the DHS’s Science and Technology Directorate and requested help in analyzing gaming systems seized during court-authorized searches, Garfinkel said. While some tools exist to extract data from gaming consoles, the consoles are hard to crack as they are designed with copyright protection systems, he said.
Obscure Technologies was the sole company found with the expertise to execute the contract, which will run through July, the contracting and tasking documents state. Obscure’s lead scientist reverse-engineered the Xbox.
While Soghoian lauded the government for pledging to release the research publicly after it is concluded, he said that creating the hacking tools isn’t the concern. The concern lies in what they will be used for after the research is concluded, and by whom.
Navy and DHS officials declined to comment on whether the gaming consoles of Americans will ever be hacked and monitored. They also declined to comment as to whether the system manufacturers had been approached about this research.
Gregory May, owner of Obscure Technologies, declined to comment.
The documents only state that no Americans will be hacked during the research phase.
“We do not wish to work with data regarding U.S. persons due to Privacy Act considerations,” Garfinkel said. “If we find data on U.S. citizens in consoles purchased overseas, we remove the data from our corpus.”
Soghoian said while the government is acknowledging that it would be wrong to hack Americans during the research phase, it appears there’s little concern for the privacy rights of foreign nationals.
He also warned U.S. citizens about selling used consoles online.
“You should think twice before selling a used system on eBay,” he said. “DHS probably is not alone in buying these things and taking them apart.”